Reveal Product Feedback
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real Reveal API integration, but it gives the agent broad account-changing power and has weak boundaries around where credentials and webhook data can go.
Use this only if you trust the Reveal account integration. Keep REVEAL_API_KEY private, do not set REVEAL_BASE_URL unless you fully trust the endpoint, and require explicit approval before creating tasks, changing tasks, rendering videos, marking notifications, or registering webhooks.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Reveal API key could be exposed to the wrong server if REVEAL_BASE_URL is set incorrectly or maliciously.
The Reveal API key is expected, but the optional base URL override is not bounded to Reveal-owned domains, so a misconfigured or manipulated environment could cause the agent to send the Bearer token to a non-Reveal endpoint.
Every request uses this header: Authorization: Bearer $REVEAL_API_KEY ... Base URL: https://www.testreveal.ai/api/v1 (Override with REVEAL_BASE_URL env var if set.)
Only use the default Reveal API URL unless you explicitly trust the override target; the skill should declare REVEAL_BASE_URL and restrict or warn on non-Reveal domains.
The agent could create or modify review tasks with inferred fields or default reviewer counts before you have reviewed the final action.
These are legitimate Reveal actions, but they mutate the user's account and may initiate reviewer work; the workflow confirms after creation/update rather than requiring a clear approval step before the mutation.
Create a review task ... POST `/review-tasks` ... `requiredReviewers`: 5 ... Confirm creation with task ID and details; Update a review task ... PATCH `/review-tasks/{taskId}`
Require explicit user approval before any POST, PATCH, PUT, or DELETE action; the approval request should state the product/task IDs, reviewer count, generated content, and expected side effects.
Future feedback, analysis, task, or video events may be sent to an external endpoint until the webhook is removed.
Registering a webhook creates a persistent external event flow. The artifact identifies events and a user-provided URL, but does not describe payload sensitivity, endpoint ownership checks, or a confirmation/removal workflow in the registration steps.
POST `/webhooks` with body: { url: `https://user-provided-url`, events: [`review.submitted`, `review.analyzed`, `task.completed`, `video.generated`] }
Register webhooks only for URLs you control, limit subscribed events, confirm the payload and retention expectations, store the signing secret securely, and remove webhooks when no longer needed.
